Solved: ASA LDAP is not finding memberOf Active Directory group Domain Users

ngkuchman · ‎10-17-2012

It seems no matter what group I add an account to the ldap memberOf finds it except for the Domain Users group. Is there a specific exclusion of this group somewhere? It doesn't appear to be an issue with the space in the name because if I test with other default groups like Domain Admins it works. I am getting the same result from both the ldap attribute map as well as trying to use the Domain Users group in a DAP policy. A debug ldap 255 returns every other group membership for an account except for Domain Users.

When I issue the command 'sh ad-group LDAP filter "Domain " ' the Domain Users group is in the results list, so it is able to see it and it exists.

Jennifer Halim · ‎10-18-2012

Please see the attached link under primaryGroupID, which states that the
Domain Users group is not part of the memberOf attribute.
http://msdn.microsoft.com/en-us/library/ms677943.aspx

That explains why the mapping fails for any Domain Users as seen in the debugs

View solution in original post

Jennifer Halim · ‎10-18-2012

Please see the attached link under primaryGroupID, which states that the
Domain Users group is not part of the memberOf attribute.
http://msdn.microsoft.com/en-us/library/ms677943.aspx

That explains why the mapping fails for any Domain Users as seen in the debugs

ngkuchman · ‎10-18-2012

Thanks for the info. Based on your input I have created 2 different DAPs, one using the primaryGoupID of 513 to capture the standard account Domain Users and one that uses memberOf = Domain Users for any accounts that might have had there primaryGroupID changed. It seems to be working.